Manualshelf

Reference Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4820T
919293949596979899100
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is
not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still
need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and
therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed access the
network without compromising network security.
The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the
Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
If the supplicant fails authentication a specified number of times, the authenticator places the port in the
Authentication-fail VLAN.
If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest
VLAN and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period, the system assumes
that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x
guest-vlan command from INTERFACE mode. View your configuration using the show config command from
INTERFACE mode or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Guest VLAN Configuration
FTOS(conf-if-Te-2/1)#dot1x guest-vlan 200
FTOS(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 21
switchport
dot1x guest-vlan 200
no shutdown
FTOS(conf-if-Te 2/1))#
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed
Authentication.
You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by
default), after which the port is placed in the Authentication-fail VLAN.
Configure a port to be placed in the VLAN after failing the authentication process as specified number of times using the
dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication
attempts by the authenticator using the keyword
max-attempts with this command.
Example of Configuring Maximum Authentication Attempts
FTOS(conf-if-Te-2/1)#dot1x guest-vlan 200
FTOS(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
no shutdown
FTOS(conf-if-Te-2/1)#
94